SAP Identity Provisioning Service (IPS)

Automated user and group provisioning across SAP BTP and SAP applications using the SCIM 2.0 protocol. Synchronise identities from corporate directories to BTP subaccounts, IAS, and SAP cloud applications.

Figure: IPS Provisioning Flow — Source to Target Systems (diagram not rendered in this copy)

Executive Summary

SAP IPS automates the lifecycle management of user identities across SAP's cloud portfolio. It reads from source systems (Active Directory, LDAP, SuccessFactors) and provisions users and groups to target systems (IAS, BTP subaccounts, S/4HANA Cloud, etc.) using the SCIM 2.0 protocol. It eliminates manual user management and ensures consistent access control across all SAP systems.

IPS is bundled with SAP BTP and available in the BTP Cockpit under Services → Identity Provisioning. It operates as a managed cloud service — no infrastructure to manage, with 150+ pre-built connectors for SAP and third-party systems.

IPS Architecture Concepts

Source Systems: where IPS reads identity data. Active Directory (LDAP/SCIM), SAP SuccessFactors, IAS, SAP AS ABAP, Microsoft Entra ID, Okta, and 80+ more connectors.
Target Systems: where IPS writes identity data. IAS, BTP Subaccount (Role Collections), S/4HANA Cloud, SuccessFactors, SAP Build Work Zone, and 70+ more.
Provisioning Jobs: scheduled or manual jobs that read from the source and write to the target. Each job runs a read phase, a transformation phase, and a write phase.
Provisioning Types: real-time provisioning (triggered by source system events) or scheduled (batch — hourly, daily, weekly). Real-time requires the source system to support SCIM events.
Transformations: JSON-based mapping rules that convert source system SCIM attributes to the target system schema. Supports value mapping, conditional logic, and expression functions.
Filtering: condition-based filters to include/exclude users and groups from provisioning. Example: only provision users in the SAP-BTP-* AD security groups.
Delta Sync: after the initial full sync, subsequent runs only process changed records (created/modified/deleted since the last run). Efficient for large directories.
Deprovisioning: when a user is deleted or deactivated in the source system, IPS removes the user from target systems. Critical for joiner/mover/leaver compliance.
Proxy Mode: IPS can act as a SCIM proxy layer — receiving SCIM requests from one system and forwarding to another, enabling real-time sync without polling.

IPS Transformation Rules — JSON Mapping Example

Group-to-Role Collection mapping
The valueMapping transformation type maps source AD group names to BTP Role Collection names. This is the core pattern for automated role assignment — users inherit Role Collections based on their AD group memberships.
ips-transformation.json
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.name.givenName",
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.name.familyName",
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.emails[0].value",
        "targetVariable": "emailAddress"
      },
      {
        "sourceVariable": "entityIdSourceSystem",
        "targetPath": "$.id"
      },
      {
        "type": "valueMapping",
        "sourcePath": "$.groups[*].display",
        "targetPath": "$.groups[*].value",
        "defaultValue": "employee",
        "valueMappings": [
          { "key": ["BTP-Developers"], "mappedValue": "Developer" },
          { "key": ["BTP-Admins"], "mappedValue": "SubaccountAdministrator" }
        ]
      }
    ]
  }
}

Provisioning Lifecycle: Joiner / Mover / Leaver

Joiner
  1. New employee created in AD
  2. IPS detects new user in delta sync
  3. User provisioned to IAS with attributes
  4. AD groups mapped to BTP Role Collections
  5. User can access BTP apps immediately
Mover
  1. Employee changes department in AD
  2. AD group membership updated by HR
  3. IPS detects changed group attributes
  4. BTP Role Collections updated accordingly
  5. Old role collections removed, new ones added
Leaver
  1. Employee account disabled in AD
  2. IPS detects disabled user in delta sync
  3. User deprovisioned from IAS
  4. All BTP Role Collections removed
  5. Access revoked within one sync cycle (4h)
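The group-to-Role-Collection valueMapping from the transformation section and the joiner/mover/leaver steps above, carried through as one delta-sync decision per user. This is an added illustration, not IPS code or the page's own: the reconcile() and run_delta() helpers, their action names and the sample batch are assumptions constructed for the example; only the valueMappings come from the page's ips-transformation.json.

```python
# Group-to-Role-Collection rule copied from the page's ips-transformation.json.
GROUP_RULE = {
    "defaultValue": "employee",
    "valueMappings": [
        {"key": ["BTP-Developers"], "mappedValue": "Developer"},
        {"key": ["BTP-Admins"], "mappedValue": "SubaccountAdministrator"},
    ],
}

def role_collections(group_names, rule=GROUP_RULE):
    """valueMapping semantics: each source group maps to a Role Collection;
    a group with no entry falls back to defaultValue (here 'employee')."""
    table = {k: m["mappedValue"] for m in rule["valueMappings"] for k in m["key"]}
    return {table.get(g, rule["defaultValue"]) for g in group_names}

def reconcile(source_user, target_state):
    """Hypothetical helper: what one delta-sync run does for one user.
    source_user  - SCIM user read from AD: userName, active, groups[].display
    target_state - Role Collections currently assigned in the target, or None
                   when the user does not exist in the target yet
    Returns (action, role_collections_to_add, role_collections_to_remove)."""
    current = set(target_state or ())
    if not source_user.get("active", True):
        if target_state is None:
            return "skip", set(), set()          # never provisioned, nothing to revoke
        # Leaver: strip every assignment rather than only flagging the user inactive
        return "deprovision", set(), current
    wanted = role_collections(g["display"] for g in source_user.get("groups", []))
    if target_state is None:
        return "create", wanted, set()           # Joiner: provision with all RCs
    if wanted == current:
        return "unchanged", set(), set()
    return "update", wanted - current, current - wanted   # Mover: swap RCs

# Constructed delta batch (not real data): a joiner, a mover and a leaver, each
# paired with the Role Collections the target currently holds for that user.
DELTA_BATCH = [
    ({"userName": "jdoe", "active": True,
      "groups": [{"display": "BTP-Developers"}, {"display": "Finance-Team"}]}, None),
    ({"userName": "asmith", "active": True,
      "groups": [{"display": "BTP-Admins"}]}, {"Developer", "employee"}),
    ({"userName": "bwong", "active": False, "groups": []}, {"Developer"}),
]

def run_delta(batch=DELTA_BATCH):
    """Apply reconcile() to every record of a delta batch, keyed by userName."""
    return {user["userName"]: reconcile(user, state) for user, state in batch}
```

Note that the unmapped Finance-Team group still yields the 'employee' default for jdoe, and that the mover loses 'employee' once no remaining group maps to it.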

Enterprise Example: DEWA Azure AD → BTP Provisioning

DEWA IPS Configuration
DEWA uses IPS to sync 50,000 Azure AD users to IAS (nightly scheduled full sync + 4-hour delta sync). AD security groups (SAP-BTP-Developers, SAP-BTP-Admins, SAP-S4-Viewers) are mapped to BTP Role Collections via JSON transformation rules. When an employee leaves DEWA, their AD account is disabled → IPS detects the change in the next delta sync → user is deprovisioned from IAS and all BTP subaccounts within 4 hours, meeting UAE PDPL data subject access requirements.

Best Practices

Test transformations in IPS test console first

The IPS admin console provides a transformation test mode. Always validate mapping rules against sample records before enabling real-time or scheduled sync.

Use group-based provisioning for scalability

Provision by group membership (AD security groups → Role Collections), not individual users. Group-based assignments scale to tens of thousands of users.

Schedule: monthly full sync + 4-hour delta sync

Full sync is resource-intensive. Run it monthly for reconciliation; use delta sync every 4 hours for near-real-time joiner/mover/leaver processing.

Store IPS credentials in BTP Credential Store

Never configure source/target system credentials inline in the IPS admin console. Use the BTP Credential Store service for encrypted, rotatable credential management.

Configure email notifications for job failures

Provisioning job failures can leave users without access for hours. Email or webhook notifications on failure ensure rapid response.

Common Pitfalls

Running full sync too frequently
Full sync reads every user from the source system, which can put significant load on AD domain controllers. Limit full sync to once per day or weekly.
Not configuring deprovisioning rules
Without deprovisioning, terminated employees retain BTP access indefinitely. Configure deprovisioning to remove role assignments when users are disabled in AD.
User-level mapping instead of group-to-role mapping
Mapping individual user attributes to Role Collections does not scale. AD group membership is the correct source for BTP Role Collection assignments.
Incorrect SCIM endpoint URL configuration
A wrong SCIM endpoint URL causes silent failures — IPS reports success but no users are provisioned. Always validate with a manual test run first.

Security Considerations

IPS runs within BTP — it never stores user passwords, only attributes. Apply these security controls:

Use OAuth2 client credentials (not Basic Auth) for target system connections
Store all IPS system credentials in the BTP Credential Store service — not inline in IPS config
Enable provisioning job audit logs and monitor for failed or partial provisioning runs
Configure deprovisioning to remove all role assignments — not just flag the user as inactive
Review IPS provisioning logs weekly for unexpected user additions or group mapping failures
Restrict IPS admin access to the Identity Provisioning Administrator role — not SubaccountAdministrator